45706 | 2021-04-28 09:56 | vbc.dot | 6458c805d50cf972547cc610807a5076
Tags: LokiBot, Malware download, VirusTotal, Malware, c&c, MachineGuid, Malicious Traffic, Check memory, exploit crash, unpack itself, Windows, Exploit, Trojan, DNS, crashed, Downloader
URLs (2):
http://eyecos.ga/chang/gate.php
http://107.172.130.145/sa/vbc.exe
Hosts (3):
eyecos.ga(35.247.234.230) - malicious
107.172.130.145 - malware
35.247.234.230 - malicious
Alerts (16):
ET INFO DNS Query for Suspicious .ga Domain
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET INFO HTTP POST Request to Suspicious *.ga Domain
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Fake 404 Response
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
5.2 | M | 28 | ZeroCERT

45707 | 2021-04-28 09:54 | vbc.exe | c78b71720eb0358b7d47ad306eb5e900
Tags: VirusTotal, Malware, Buffer PE, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, Cryptographic key, crashed
Hosts (1):
14.8 | M | 46 | ZeroCERT

45708 | 2021-04-28 09:54 | uDUxwumDrV.dll | ee03a7aafeaa2e4b937066e5efe8016f
Tags: VirusTotal, Malware, Checks debugger, DNS, crashed
2.6 | | 31 | ZeroCERT

45709 | 2021-04-28 09:52 | presentation.jar | 33b584062b5559c747cc526ced0c33dd
Tags: VirusTotal, Malware, Check memory, heapspray, unpack itself, Java, DNS
2.6 | M | 9 | ZeroCERT

45710 | 2021-04-28 09:51 | vbc.exe | a931122aaa867ed9767d67823cb8e6a8
Tags: VirusTotal, Malware, suspicious privilege, Code Injection, Check memory, Checks debugger, unpack itself, Windows, Cryptographic key
5.0 | M | 14 | ZeroCERT

45711 | 2021-04-28 09:49 | cc.dot | c10fba3ded1f5c313d83ac9f7ff82961
Tags: FormBook, Malware download, VirusTotal, Malware, MachineGuid, Malicious Traffic, exploit crash, unpack itself, Windows, Exploit, DNS, crashed, Downloader
URLs (5):
http://www.adecquo.com/pmc/?RRH=vjDla05s3BwYir9AIyM9qtJMEH6ykGoQMvqSGth8Nv/9Pw1B8DxUB3DqZFlnRD+swTMkapVO&rVBxDv=S0Ghq4
http://23.95.122.25/cc/vbc.exe
http://www.coolblue.digital/pmc/?RRH=vUAXos/W3FKdVA5hdlCIKF5pzGKq7f7QtJqJhVwRzw7HIwgr+5PWnKVzXZj3kVyxMQr8Z77l&rVBxDv=S0Ghq4
http://www.15slotozlo.site/pmc/?RRH=JFva54IOlKVnlpYoc1RFuL3mKqtDw0bOy0bUZ/qRd+Wy0jUa0JT0k3ufM/C3GMX4A5VkykN2&rVBxDv=S0Ghq4
http://www.zuisyoraku.com/pmc/?RRH=4l6fyKTFHDaHe1GcRTEUPSwbRJmK3jvlIAQWbuZctk+ctcpozhtelOPFUCnZPaeJbIh2wtV5&rVBxDv=S0Ghq4
Hosts (9):
www.coolblue.digital(198.54.117.211)
www.15slotozlo.site(172.67.178.12)
www.zuisyoraku.com(183.90.250.91)
www.adecquo.com(154.81.19.216)
23.95.122.25 - malicious
198.54.117.212 - malicious
104.21.40.63
154.81.19.216
183.90.250.91
Alerts (7):
ET MALWARE FormBook CnC Checkin (GET)
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
4.6 | M | 28 | ZeroCERT

45712 | 2021-04-28 09:49 | svch.exe | 20f6c10325735459625ad37b0cfea696
Tags: VirusTotal, Malware, Buffer PE, suspicious privilege, MachineGuid, Code Injection, Check memory, Checks debugger, buffers extracted, unpack itself, Windows utilities, suspicious process, WriteConsoleW, human activity check, Windows, ComputerName, DNS, Cryptographic key, crashed
Hosts (1):
14.6 | M | 34 | ZeroCERT

45713 | 2021-04-28 09:47 | vbc.exe | ea4f3cbb2f990be8628145b8e7970880
Tags: FormBook, Malware download, VirusTotal, Malware, suspicious privilege, Code Injection, Malicious Traffic, Checks debugger, buffers extracted, ICMP traffic, unpack itself
URLs (4):
http://www.sparetimr.net/pmc/?Ez=AlQ1RzJ/kwnlpQLinP/2GByIkuZWaj6fbRJnek0eZ1YVl3+ZWM7od8C6qhD96Nb7SsHk40GT&lhud=Txol_2I
http://www.rwproducedeliveryknoxville.com/pmc/?Ez=mnj0FNt3a7nl1Ql0YoriOJf4cAinzVMKSi3j+C+aJnvhp8rA6ZNo2qczZQeE2eLS4QZ4NBwe&lhud=Txol_2I
http://www.cheikh-faye.com/pmc/?Ez=45Jbv0zHXhCFcWB5cyZRlvCJJu0mHxT7nLQ17GVtdzGeB18Y8Ww2I3k3rk2swPMbwEwxbWWO&lhud=Txol_2I
http://www.theaccountableteamscoach.com/pmc/?Ez=gVzqDSSmhDwCcbrvrqFyqNa496pKegJJtCWYCwkmBn7L/f0dBhMWKcgRHIa8WjOwOWR88Fy0&lhud=Txol_2I
Hosts (9):
www.sparetimr.net(198.54.117.211)
www.cheikh-faye.com(154.86.221.17)
www.theaccountableteamscoach.com(34.102.136.180)
www.abbbbha13.art()
www.rwproducedeliveryknoxville.com(198.49.23.145)
154.86.221.17
198.185.159.144 - malicious
34.102.136.180 - malicious
198.54.117.210 - malicious
Alerts (1):
ET MALWARE FormBook CnC Checkin (GET)
8.6 | | 22 | ZeroCERT

45714 |
2021-04-28 09:47
|
-....-.-.......dot 1d32e49469b4dc0cd7f5608fc668ac46 Malware download VirusTotal Malware MachineGuid Malicious Traffic exploit crash unpack itself Windows Exploit DNS crashed Downloader |
1
http://192.3.22.5/ch/vbc.exe
|
2
192.3.22.5 - mailcious 194.5.98.208
|
6
ET INFO Executable Download from dotted-quad Host ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 ET POLICY PE EXE or DLL Windows file download HTTP ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
|
|
6.2 |
|
25 |
ZeroCERT
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45715 | 2021-04-28 09:44 | presentation.dll | 3bbac698f5c61fdd41a04d6b47d46b5c
Tags: VirusTotal, Malware, PDB, MachineGuid, unpack itself, suspicious process, WriteConsoleW, ComputerName, DNS
URLs (1):
http://app3.maintorna.com/G30qB58Kk2/BU_2BdgootvFojVON/GZxWNJv1w2ZM/4TW3i3gbDXc/os7U_2B8OYn6Dx/FEJ4_2BXEIYp_2BEtAMOP/FkcnRwmFEGGLN6fE/En2P_2FLKoUyhE5/TcKe5GQI9jDgWmXX7z/9599_2BX4/OH7farLhbSxl3_2BzF7h/akWBEFH1XsZFliYBlra/6GWzvwhnXBMUJdDpd9lvat/nm8MP0jcJ6aC8/MERMX3tw/AT58JGbkfHN7cwZMJmYhvz9/RfVzMTVDXH/Gu_2FcyyAGu1Hwffc/7P_2BbsrgTm0/byY8mc1tE0Q/LLbpnzIiY_2FqI/X3m2IGAM39NOMPW7DXGQM/EAgQMq3
Hosts (2):
app3.maintorna.com(34.73.201.12)
34.73.201.12
Alerts (1):
SURICATA HTTP unable to match response to request
3.6 | | 13 | ZeroCERT

45716 | 2021-04-28 09:44 | reg.dot | dbd4eec520900e9ae109ee7a1ab2494b
Tags: LokiBot, Malware download, VirusTotal, Malware, c&c, MachineGuid, Malicious Traffic, Check memory, exploit crash, unpack itself, Windows, Exploit, Trojan, DNS, crashed, Downloader
URLs (2):
http://amrp.tw/kayo/gate.php - rule_id: 1177
http://amrp.tw/kayo/gate.php
Hosts (3):
amrp.tw(35.247.234.230) - malicious
35.247.234.230 - malicious
107.173.219.80 - malware
Alerts (14):
ET MALWARE Trojan Generic - POST To gate.php with no referer
ET MALWARE LokiBot User-Agent (Charon/Inferno)
ET MALWARE LokiBot Checkin
ET MALWARE LokiBot Request for C2 Commands Detected M1
ET MALWARE LokiBot Request for C2 Commands Detected M2
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M1
ET MALWARE LokiBot Application/Credential Data Exfiltration Detected M2
ET MALWARE LokiBot Fake 404 Response
ET INFO Executable Download from dotted-quad Host
ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Rule-matched URLs (1):
http://amrp.tw/kayo/gate.php
5.2 | M | 24 | ZeroCERT

45717 | 2021-04-28 09:40 | mazx.exe | 342d651660cf2b0587d25f343aff786f
Tags: Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
URLs (4):
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html - rule_id: 1176
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
Hosts (2):
ldvamlwhdpetnyn.ml(172.67.208.174)
104.21.85.176
Alerts (1):
ET INFO DNS Query for Suspicious .ml Domain
Rule-matched URLs (2):
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/
13.2 | M | 19 | guest

45718 | 2021-04-28 09:32 | ...................dot | d89c98c484e9c5a9b95118076be9258a
Tags: Malware download, VirusTotal, Malware, MachineGuid, Malicious Traffic, exploit crash, unpack itself, Windows, Exploit, DNS, crashed
URLs (1):
http://192.3.22.5/ch/svch.exe
Hosts (2):
192.3.22.5 - malicious
194.5.98.208
Alerts (5):
ET INFO Executable Download from dotted-quad Host
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6.2 | M | 28 | ZeroCERT

45719 | 2021-04-28 09:29 | dl2.exe | c4539adb4566822ab8dfe45aa3d5ca63
Tags: VirusTotal, Malware, RCE, DNS
1.8 | M | 7 | ZeroCERT

45720 | 2021-04-28 09:28 | mazx.exe | 342d651660cf2b0587d25f343aff786f
Tags: AsyncRAT, backdoor, Browser Info Stealer, FTP Client Info Stealer, VirusTotal, Email Client Info Stealer, Malware, suspicious privilege, Code Injection, Malicious Traffic, Check memory, Checks debugger, buffers extracted, unpack itself, Check virtual network interfaces, suspicious process, WriteConsoleW, Windows, Browser, Email, ComputerName, DNS, Cryptographic key, Software, crashed, keylogger
URLs (2):
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-4C040980FB238F42747D4200E39E5134.html
http://ldvamlwhdpetnyn.ml/liverpool-fc-news/features/steven-gerrard-liverpool-future-dalglish--goal-E6414DF053ECE16DD340D40A0368921A.html
Hosts (2):
ldvamlwhdpetnyn.ml(172.67.208.174)
172.67.208.174
Alerts (1):
ET INFO DNS Query for Suspicious .ml Domain
14.8 | | 19 | ZeroCERT